From Cyberlex: Parliamentary Committee Recommends Substantial Revisions to PIPEDA - Part 2 – Consent
(See the original article by Kirsten Thompson, Charles Morgan and Maureen Gillis at McCarthy Tétrault's Cyberlex Blog: Parliamentary Committee Recommends Substantial Revisions to PIPEDA – Part 2 - Consent)
As reported in our recent post, on February 28, 2018, the House of Commons Standing Committee on Access to Information, Privacy and Ethics tabled in the House of Commons a report entitled Towards Privacy by Design: Review of the Personal Information Protection and Electronic Documents Act. The recommendations in the Committee’s Report are also heavily influenced by the direction set in the European Union General Data Protection Regulation (“GDPR”), which becomes applicable on May 25, 2018.
We have prepared a multi-part series of posts focusing in more depth on each section of the Report.
In this post, we summarize and comment on the Committee’s findings set out in Part 2 of the Report, which addresses the issues of “meaningful consent” and the enhancement of the consent model, exceptions to the rule of consent, and data portability.
Part 2 – Consent
The concept of consent underpins the entire framework of PIPEDA. Essentially a contract-type model, this approach envisions an enlightened user who freely trades his or her personal information in exchange for services. The premise is that the best protection for personal information is therefore to create the conditions in which individuals are free to use their personal information as they wish. This ethos is stated in PIPEDA’s Principle 3 as “The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.” Further sub-principles articulate other aspects of consent, such as the necessary processes and timing for obtaining consent, the types of consent, and how consent is to be made meaningful.
However, this consent model is under pressure from online technologies. The Report acknowledges this and begins by setting out the Office of the Privacy Commissioner of Canada’s (“OPC”) concern that innovation in information technologies has added significant complexity to online interactions and resulted in more ways to use information. As a result, few individuals take the time to inform themselves of the conditions of use of their personal information. Compounding the problem, some witnesses noted, is that the privacy policies meant to inform individuals are often unreadable or too vague, so that the consent obtained is illusory.
Notwithstanding the problems with the current consent model, most witnesses supported its continued use, albeit in modified form to address the current shortcomings. Many supported enhancements to implicit consent, including “deemed” consent when the risk of harm is low. Other witnesses cautioned against this approach, noting that it is often difficult to evaluate risk and potential harm beforehand.
Other witnesses supported implementing measures that would make consent more meaningful.
Enhancements to Consent
The Committee’s overall recommendation was that consent should remain the core element of the privacy regime, but that it should be enhanced and clarified by additional means. The Report explores four areas in which the consent model could be enhanced and in some cases makes specific recommendations:
Exceptions to Consent
While consent underpins PIPEDA, the legislation also recognizes situations in which consent should not be required.
In his book Outliers, Malcolm Gladwell espoused the theory that to achieve excellence in any field, one needs to practise it for 10,000 hours. So…does the 10,000-hour rule also apply to doing something 10,000 times? It may not be a perfect application of the theory but, in light of a recent report, one wonders just how much more practice the Federal Government needs to properly manage Canada’s records.
The CBC reported this week that the National Security Sweep Program revealed more than 10,000 incidents of classified or secure information being improperly stored by federal government employees since last November. While some of these involved sensitive paper documents left out on desks or in unlocked filing cabinets, others involved digital information not being properly handled. Okay – we know that 10,000 hours is not the same as 10,000 times, but you get the point.
Of the departments that reported (Revenue Canada and the Justice Department were not included in the report), Public Services and Procurement Canada, the Global Affairs Department and, believe it or not, CSIS, were the worst offenders, accounting for over 60% of the infractions.
The Federal government has been the target of hackers over the past couple of years. In 2011, it was revealed that Chinese hackers had gained access to three departments and stolen classified information. During the tax crunch in April of 2014, Revenue Canada’s online tax return site was taken down for several days after the Heartbleed OpenSSL vulnerability was exploited against it. And, in June 2015, the government’s websites and its primary email servers were knocked offline for a couple of hours. In response to those events, Public Safety Canada reported that it had spent $245 million to harden the government’s computer networks.
While most government ministers declined to explain the lapses in security, Ralph Goodale (Minister of Public Safety) did assure the public that, once a sensitive document that was left out in the open was identified, it was locked up. Sort of like closing the stable door after the horse has bolted.
The improper handling of sensitive information in government appears to be pervasive. Whether the cause is poor training or poor information management systems, the result is the same: sensitive information which is improperly secured is a gold-mine for cyber-criminals.
While Public Safety Canada’s solution to build stronger walls is an important part of cybersecurity strategy, strong walls are not enough – one also has to make sure that sensitive information is not left outside those walls. The Federal Government should take the lead in cybersecurity. Unfortunately, Canadians will now question whether that is presently the case.
At the annual eDiscovery Institute conference yesterday, Susan Wortzman spoke about eDiscovery and Information Governance issues in the news. The panel also featured Iris Fischer from Blakes and John Ratchford of Navigator Ltd. Mr. Ratchford mentioned a survey his firm conducted last year that asked Canadians about how well they believed their personal information was being protected by retailers, financial institutions, technology providers and government agencies. The findings were interesting.
Almost three-quarters of those asked were not only aware of recent cyber-attacks, but could name specific North American retailers and Canadian government agencies that had been subjected to a data breach. The fact that specific data breaches were recalled shows that cybersecurity is of major concern to the general public.
Retailers were clearly held accountable by consumers. In the case of stolen credit cards, for instance, while most people conceded that the criminal hackers were primarily responsible for the breaches, 65% also assigned blame to the retailers rather than to the banks, payment systems or credit card issuers whose technology was actually compromised.
Although survey respondents are concerned about organizations that hold their more detailed private information, such as government agencies and banks, the vast majority of them were confident that these organizations had sufficient security processes in place to safeguard the data.
Almost two-thirds of respondents said that the government should impose much stricter rules around the security of personal and customer information held by others. They also want immediate public disclosure of any compromise of their data.
Protecting data is certainly important. However, as we have often said, walls can and will be breached. When this occurs, having an information governance and cybersecurity response plan in place will address the immediate demand from the public for disclosure and remediation, and may even keep your organization out of the headlines.